MacOS Firewall for Outgoing Connections

Hello,

I was wondering if you knew any good software for blocking outgoing connections? I know OpenSnitch on Linux, which works well, but it is only available on Linux. There is Little Snitch on macOS, but it is expensive. An alternative called LuLu exists, but I am not sure if it is legit. It is open source though, and I wanted to know if you would recommend it. If not, is there any other software or brew package or something that can help with that?

Thank you.

LuLu is not a bad option, go for it.

1 Like

Lulu is good. Not quite as advanced as Little Snitch (Mini) but if your budget is tight it could be an option.

Just might be good to also try the recently introduced free version of Little Snitch:

It seems more feature-rich, and it allows you to add multiple blocklists. Personally I use the licensed version, but would love it if you report back on how the Mini version works for you.

Okay thanks, it looks promising indeed! Is there any way to ensure Little Snitch is not doing weird stuff under the hood? It is not open source, but LuLu is… What is your stance on that?

Honestly I shouldn't be answering questions like these anymore. But just for the sake of it:

  • are you checking each and every line of the open source code and checking any changes continuously? If the answer is yes, please stop lying
  • you want trust. You can get this from auditors, open or closed source. Public audit is ideal but requires a lot of attention by the public and therefore is only feasible for things with large userbases
  • even commonly used packages can have vulnerabilities or backdoors, like what almost happened lately with xz. We dodged a bullet; no one can be sure this doesn't happen elsewhere.

You have to trust people, whether open source or closed. It doesn't matter much. I like open source but not for the trust it gives me. It is quite irrelevant for a tool like this:

  • there is no motive for Little Snitch to do weird stuff. If they get caught they are out of business
  • they have an incentive to make sure Apple doesn't bypass their monitoring, which has already been up for discussion.
  • you could spot the "weird behaviour" by monitoring your network.

1 Like

Lulu comes with these network connections enabled by default, does anyone know what their purpose is?

  • apsd
  • helpd
  • mDNS responder (I know this one is important for DNS)
  • mount_nfs
  • mount_url
  • ocspd (I know this one is important too)
  • sntp
  • trustd

The burden isn’t on any random user/person to do this. The promise of open source is that if something gets popular enough, folks with expertise will have enough incentives to start paying attention to it.

This punts the trust to “an auditor”. For closed-source, there’s little chance (without the co-operation from the proprietor) that any other expert is able to qualify the produced reports.

Please, let's not dismiss the enormous work that goes into securing FOSS just because xz was compromised the way it was (presumably by a state actor). In fact, Andres Freund, the Microsoft engineer who found the flaw, was able to narrow down the problem due to xz's source being readily available for inspection.[1]

xz is packaged by most Linux distributions: by virtue of it being that widely installed, it was subject to a sophisticated attack. There's nothing inherent about closed-source software that shields it from that. As in, since we can't look, we will never know (unless made public) whether companies like Meta, Microsoft, Amazon, Google, Apple aren't already subject to espionage of multiple services by equally adept hostile actors. With FOSS, things are already public, for better and for worse.

It does, for the simple reason that emulating, simulating, reversing, modifying closed-source software is illegal. Whereas some FOSS licenses even go to the extent of granting patent rights to all their users and forks.

That’s not a valid assumption (going out of business, that is). And of course, depends on the severity of the breach. For instance, Lenovo MiTMd TLS and … they’re still in business; though DigiNotar isn’t.


  1. “Mr. Freund looked closely at the source code for xz Utils, he saw clues that it had been intentionally tampered with.” (ref). ↩︎

5 Likes

  • apsd = push notifications
  • helpd = something to do with the webviewer of help functions
  • mDNS = local network discovery for things like printers and other Apple devices
  • trustd = security certificate validation

Not sure of the exact function of the others, but they're all system processes. There shouldn't be any permanent negative effects from disallowing network connections to any system components, as long as you're willing to trial & error what happened when some core functionality breaks.

1 Like
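The two threads of advice above, that you can spot "weird behaviour" by watching your own network and that the daemons LuLu allows by default are ordinary system processes, combine naturally into a small triage script. The following is an added example, not code from this thread, from LuLu or from Little Snitch. It parses a snapshot in the format produced by `lsof -nP -i +c 0` on macOS, keeps only sockets that have a remote peer, and reports any process that is not in a baseline allowlist. The allowlist is exactly the daemon names listed in the question; the `lsof` rows, process names, PIDs and peer addresses are constructed for the example and were not captured from a real machine.

```python
"""Triage a snapshot of outbound connections against a daemon allowlist.

Added example: feed it the text of `lsof -nP -i +c 0` (the +c 0 keeps full
command names instead of truncating them) and it separates peers of known
system daemons from peers of everything else, so you can review the latter.
"""
import re
from collections import defaultdict

# Daemons the thread lists as allowed by default in LuLu.
BASELINE_DAEMONS = {
    "apsd", "helpd", "mDNSResponder", "mount_nfs",
    "mount_url", "ocspd", "sntp", "trustd",
}

# Constructed sample of `lsof -nP -i +c 0` output; addresses are from the
# RFC 5737 documentation ranges and do not belong to any real service.
SAMPLE_LSOF = """\
COMMAND         PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apsd            121           root   12u  IPv4   0xa1      0t0  TCP 192.168.1.20:49700->198.51.100.20:5223 (ESTABLISHED)
trustd          140           root    7u  IPv4   0xa2      0t0  TCP 192.168.1.20:49712->198.51.100.21:80 (ESTABLISHED)
mDNSResponder   119 _mdnsresponder    8u  IPv4   0xa3      0t0  UDP *:5353
sntp            333           root    3u  IPv4   0xa4      0t0  UDP 192.168.1.20:59000->198.51.100.22:123
Safari          800          alice   31u  IPv4   0xa5      0t0  TCP 192.168.1.20:49800->203.0.113.10:443 (ESTABLISHED)
Safari          800          alice   32u  IPv6   0xa6      0t0  TCP [2001:db8::20]:49801->[2001:db8::1]:443 (ESTABLISHED)
updater        1200          alice    5u  IPv4   0xa7      0t0  TCP 192.168.1.20:49900->203.0.113.7:8443 (SYN_SENT)
"""

# NAME column: "local->remote" optionally followed by " (STATE)".
NAME_RE = re.compile(r"^(?P<local>\S+)->(?P<remote>\S+)(?: \((?P<state>[A-Z_]+)\))?$")


def parse_lsof(text):
    """Return one dict per socket row; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        # NAME may contain one space before "(STATE)", so split into 9 fields at most.
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue
        command, pid, user, _fd, _type, _dev, _size, node, name = fields
        m = NAME_RE.match(name)
        rows.append({
            "command": command,
            "pid": int(pid),
            "user": user,
            "proto": node,
            "local": m.group("local") if m else name,
            "remote": m.group("remote") if m else None,   # None = bound/listening only
            "state": m.group("state") if m else None,     # UDP rows carry no state
        })
    return rows


def outbound(rows):
    """Sockets that have a peer address; plain listeners such as *:5353 are dropped."""
    return [r for r in rows if r["remote"] is not None]


def triage(rows, baseline=BASELINE_DAEMONS):
    """Group peers per process and split them into expected and unexpected."""
    expected, unexpected = defaultdict(set), defaultdict(set)
    for r in outbound(rows):
        bucket = expected if r["command"] in baseline else unexpected
        bucket[r["command"]].add((r["proto"], r["remote"], r["state"]))
    return dict(expected), dict(unexpected)


if __name__ == "__main__":
    expected_peers, unexpected_peers = triage(parse_lsof(SAMPLE_LSOF))
    for cmd, peers in sorted(unexpected_peers.items()):
        for proto, remote, state in sorted(peers, key=str):
            print(f"REVIEW {cmd}: {proto} -> {remote} [{state}]")
```

On a real machine you would pipe `lsof -nP -i +c 0` into `parse_lsof` and extend `BASELINE_DAEMONS` with the applications you have knowingly approved; anything left in the unexpected bucket is what a firewall prompt would have asked you about, and it is the list worth comparing against what LuLu or Little Snitch actually allowed.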

Thanks for this. I’m pretty sure SNTP is related to time synchronisation. No idea what mount_nfs and mount_url would be though.

Generally the thing you want is sandboxed apps with lots of mitigations enabled, like macOS's hardened runtime, but since Little Snitch inherently needs very deep control of your system, namely all networking, it's really just purely down to hopes and prayers that they aren't doing anything malicious.

I am surely not meaning to. I am just pointing out nothing is going to give you a perfect scenario. I like open source but I do not believe it to give me a better guarantee of no “weird behaviour”.

All in all open source can be more secure but only for software with many active contributors.

1 Like

I do not see any relation to what I said here.

Something I have to add also, which I forgot to include earlier: if you think you can't rely on closed source, the choice of a MacBook is more questionable than the firewall application you run on top of it. If you want guarantees you need network-level packet inspection, and I wouldn't think that is a good idea.